Jose Luis Sastoque Rey for AWS Community Builders


AWS Bastion Host / Jump Box

As systems administrators, we have to keep the infrastructure up to date: applying security patches, installing new versions of the operating system, and configuring applications correctly to strengthen the security of our cloud resources and meet our side of the AWS Shared Responsibility Model. To do this on EC2 instances and RDS databases, we need a secure way to reach them.

In this post, we are going to see how to connect to EC2 instances and RDS databases that sit on private subnets (no access from the internet) through a Bastion Host, or Jump Box, using OpenSSH and MySQL Workbench. We will use the virtual private cloud (VPC) and subnets created in the post AWS Networking from scratch, which protect the infrastructure by separating public and private environments and by controlling inbound and outbound traffic to the EC2 instances and RDS databases.

We start by creating the Bastion Host EC2 instance, then provision an EC2 instance and an RDS instance on a private subnet, and finally connect to those instances through the Bastion Host. Let's start:
 

Create Bastion Host.

It is an EC2 instance deployed in the VPC on a public subnet (reachable from the internet) and used as the single entry point to reach, over SSH (Secure Shell) and TCP/IP, the EC2 instances and RDS databases deployed on a private subnet (not reachable from the internet). The steps to create a Bastion Host are:
 

  • Use the EC2 launch instance wizard. Choose an AMI (Amazon Machine Image); for this example we use the Amazon Linux 2 AMI.
 

  • Choose the VPC and the public subnet in the instance details configuration.

In the post AWS Networking from scratch we created the subnet publicSubnet1A with CIDR 192.168.0.0/27 inside the VPC 192.168.0.0/24; its route table and network access control list (NACL) allow both internal and external communication.
 

  • Create a Security Group (the instance firewall) with a single inbound rule allowing SSH (TCP port 22) only from the public IP address of our local machine (a /32), never from 0.0.0.0/0. The bastion is the one host exposed to the internet, so this rule is the first line of defence.
 

  • Create a key pair (public and private keys) for SSH authentication.
 

  • Review the launch details and launch the instance.

 
 

Create an EC2 instance on a private Subnet.

An EC2 instance is private when it is deployed on a subnet whose route table has no route to an internet gateway, so it cannot be reached from the internet. The steps to create an EC2 instance and deploy it on the private subnet are:
 

  • Use the EC2 launch instance wizard. Choose an AMI (Amazon Machine Image); for this example we use the Amazon Linux 2 AMI.
 

  • Choose the VPC and the private subnet in the instance details configuration. Do not assign a public IP address.

In the post AWS Networking from scratch we created the subnet privateSubnet1A with CIDR 192.168.0.32/27 inside the VPC 192.168.0.0/24; its route table and network access control list (NACL) allow only internal communication.
 

  • Create a Security Group with an inbound rule allowing SSH (TCP port 22) only from the security group of the Bastion Host. Referencing the security group instead of an IP address means the rule keeps working if the bastion is replaced and gets a new address, and nothing else in the VPC can reach port 22 of the private instance.
 

  • Create a separate key pair for SSH authentication. These keys should be different from the Bastion Host keys: if a third party obtains one key, it should not unlock several infrastructure resources at once.
 

  • Review the launch details and launch the instance.

 
 

Create an RDS Database on a private Subnet.

An RDS database instance is private when it is deployed on a private subnet and created with public access disabled (no public IP address), so it cannot be reached from the internet. The steps to create an RDS database and deploy it on the private subnet are:
 

  • Create a DB Subnet Group in the VPC with at least two subnets in two different availability zones of the AWS region:

In the post AWS Networking from scratch we created the subnet privateSubnet1A with CIDR 192.168.0.32/27 in availability zone us-east-2a inside the VPC 192.168.0.0/24; its route table and network access control list (NACL) allow only internal communication. In availability zone us-east-2b the same VPC has the subnet publicSubnet1B with CIDR 192.168.0.64/27, which we use as the second subnet of the group. Because the database is created with public access disabled and pinned to us-east-2a, it only gets a private IP address on privateSubnet1A; a dedicated private subnet in us-east-2b would be the cleaner choice if the database is later made Multi-AZ.
 

  • Create a Security Group with an inbound rule allowing MySQL/Aurora (TCP port 3306) only from the security group of the Bastion Host.
 

  • Use the RDS create database wizard. Choose the database engine; for this example we use MySQL:
 

  • Enter the DB instance identifier and create the database credentials: master username and master password.
 

  • Set up the connectivity properties: select the VPC, the DB Subnet Group (created in step 1), set Public access to No, select the security group (created in step 2), choose the availability zone where the private subnet lives (us-east-2a) and the port (3306):
 

  • Enter the initial database name:
 

  • Create the database.
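The same three resources created in the console steps above (Bastion Host, private EC2 instance, private RDS instance), expressed with the AWS CLI as an added example that is not part of the original post. The VPC and subnet IDs, resource names, instance types and the AMI lookup are assumptions; the CIDRs and availability zones are the ones from the post. The script only talks to AWS when run with --apply, and check_admin_cidr refuses a bastion SSH rule that is not a single /32.

```shell
#!/bin/sh
# Added example (not from the original post). Requires AWS CLI v2 with credentials
# for us-east-2 and DB_MASTER_PASSWORD exported in the environment.
set -eu

REGION=us-east-2
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"            # assumption: VPC 192.168.0.0/24
PUBLIC_SUBNET_1A="${PUBLIC_SUBNET_1A:-subnet-aaaa}"  # assumption: 192.168.0.0/27, us-east-2a
PRIVATE_SUBNET_1A="${PRIVATE_SUBNET_1A:-subnet-bbbb}" # assumption: 192.168.0.32/27, us-east-2a
PUBLIC_SUBNET_1B="${PUBLIC_SUBNET_1B:-subnet-cccc}"  # assumption: 192.168.0.64/27, us-east-2b

# The bastion is the only host reachable from the internet, so its port-22 rule
# must be a single address: reject anything wider than /32 and the open-world CIDRs.
check_admin_cidr() {
  case "$1" in
    0.0.0.0/0|::/0) echo "refusing open-world SSH rule $1" >&2; return 1 ;;
    */32) return 0 ;;
    *) echo "bastion SSH source must be a /32, got $1" >&2; return 1 ;;
  esac
}

# Hypothetical helper: one security group per tier, printing its ID.
create_sg() {  # name description
  aws ec2 create-security-group --region "$REGION" --vpc-id "$VPC_ID" \
    --group-name "$1" --description "$2" --query GroupId --output text
}

main() {
  MY_IP="$(curl -fsS https://checkip.amazonaws.com)/32"
  check_admin_cidr "$MY_IP"

  # Bastion SG: SSH only from the admin workstation's current public address.
  BASTION_SG=$(create_sg bastion-sg "SSH from admin IP")
  aws ec2 authorize-security-group-ingress --region "$REGION" --group-id "$BASTION_SG" \
    --protocol tcp --port 22 --cidr "$MY_IP"

  # Private EC2 SG: SSH only from the bastion's security group, not from a CIDR.
  PRIVATE_SG=$(create_sg private-ec2-sg "SSH from bastion SG only")
  aws ec2 authorize-security-group-ingress --region "$REGION" --group-id "$PRIVATE_SG" \
    --protocol tcp --port 22 --source-group "$BASTION_SG"

  # RDS SG: MySQL 3306 only from the bastion's security group.
  RDS_SG=$(create_sg private-rds-sg "MySQL from bastion SG only")
  aws ec2 authorize-security-group-ingress --region "$REGION" --group-id "$RDS_SG" \
    --protocol tcp --port 3306 --source-group "$BASTION_SG"

  # Two separate key pairs, so a leaked bastion key does not open the private host.
  for k in bastion-key private-ec2-key; do
    aws ec2 create-key-pair --region "$REGION" --key-name "$k" \
      --query KeyMaterial --output text > "$k.pem"
    chmod 400 "$k.pem"
  done

  # Latest Amazon Linux 2 AMI for the region, resolved through the public SSM parameter.
  AMI=$(aws ssm get-parameter --region "$REGION" \
    --name /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 \
    --query Parameter.Value --output text)

  # Bastion in the public subnet with a public IP; private instance without one.
  aws ec2 run-instances --region "$REGION" --image-id "$AMI" --instance-type t3.micro \
    --subnet-id "$PUBLIC_SUBNET_1A" --security-group-ids "$BASTION_SG" \
    --key-name bastion-key --associate-public-ip-address \
    --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=bastion}]'
  aws ec2 run-instances --region "$REGION" --image-id "$AMI" --instance-type t3.micro \
    --subnet-id "$PRIVATE_SUBNET_1A" --security-group-ids "$PRIVATE_SG" \
    --key-name private-ec2-key --no-associate-public-ip-address \
    --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=private-ec2}]'

  # RDS: subnet group spanning two AZs, instance pinned to us-east-2a, public access off.
  aws rds create-db-subnet-group --region "$REGION" --db-subnet-group-name private-db-subnets \
    --db-subnet-group-description "subnets for the private RDS instance" \
    --subnet-ids "$PRIVATE_SUBNET_1A" "$PUBLIC_SUBNET_1B"
  aws rds create-db-instance --region "$REGION" --db-instance-identifier private-mysql \
    --engine mysql --db-instance-class db.t3.micro --allocated-storage 20 \
    --master-username admin --master-user-password "$DB_MASTER_PASSWORD" \
    --db-subnet-group-name private-db-subnets --vpc-security-group-ids "$RDS_SG" \
    --availability-zone "${REGION}a" --no-publicly-accessible --db-name appdb
}

# Only touch AWS when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as `sh create-bastion-stack.sh --apply`. The three security groups are created before any instance so that each instance can be launched with its final rules, and the private tiers never get an IP-based rule at all: their only allowed source is the bastion's security group.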

 
 

SSH Connection to Bastion Host

To open an SSH connection to the Bastion Host from our local machine we can use SSH clients such as OpenSSH, PuTTY, MobaXterm, WinSCP and others. We need the public IP address or public DNS name of the Bastion Host instance, the default user name of the AMI used to create it, and the private SSH key. The steps to establish the connection are:
 

  • Find the public IP address or public DNS name in the EC2 instance details:
 

  • Look up the default user name of the AMI used to create the instance. For the Amazon Linux AMI it is ec2-user.
     

  • From our local machine, using the OpenSSH command line, run ssh-add -k with the path to the Bastion Host private key (.pem) to load it into ssh-agent. The key file must be readable only by its owner (chmod 400 on Linux and macOS); otherwise ssh and ssh-add refuse to use it:

On Windows, start the OpenSSH Authentication Agent service first; otherwise ssh-add cannot reach the agent.
 

  • Run ssh {user-name}@{public IP address} with the user name and the public IP address of the Bastion Host to open the SSH session:

 
 

SSH connection to EC2 private instance

With the Bastion Host reachable, we can run the steps below from our local machine with the OpenSSH client to connect to the private EC2 instance:
 

  • Find the private IP address in the EC2 instance details:
 

  • Look up the default user name of the AMI used to create the instance. For the Amazon Linux AMI it is ec2-user.
     

  • From our local machine, using the OpenSSH command line, run ssh-add -k with the path to the private instance's private key (.pem) to load it into ssh-agent:

On Windows, start the OpenSSH Authentication Agent service first; otherwise ssh-add cannot reach the agent.
 

  • Run ssh -J {user-name}@{public IP address} {user-name}@{private IP address}, with the Bastion Host user name and public IP address first and the private instance user name and private IP address second, to open the SSH session. The -J (ProxyJump) option makes OpenSSH open a TCP forward through the bastion and authenticate to the private instance directly from the local machine, so the private instance's key never has to be copied to the bastion and agent forwarding (-A) is not needed:
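The two SSH sections above, as an added example that is not part of the original post: a client-side OpenSSH configuration that turns the ssh -J command line into Host entries, checks the key file permissions the same way ssh does, and keeps the private instance's key on the local machine (agent forwarding stays off). The IP addresses, key file paths and the config file location are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): OpenSSH client setup for bastion + private host.
set -eu

BASTION_IP="${BASTION_IP:-203.0.113.10}"                    # assumption: bastion public IP
PRIVATE_IP="${PRIVATE_IP:-192.168.0.40}"                    # assumption: host in 192.168.0.32/27
BASTION_KEY="${BASTION_KEY:-$HOME/.ssh/bastion-key.pem}"    # assumption: key pair 1
PRIVATE_KEY="${PRIVATE_KEY:-$HOME/.ssh/private-ec2-key.pem}" # assumption: key pair 2
CONFIG="${SSH_CONFIG_OUT:-$HOME/.ssh/bastion_config}"        # separate file, used via ssh -F

# True only if the key is readable by its owner alone, the condition ssh enforces
# before it will use a private key. Columns 5-10 of `ls -l` are the group/other bits,
# which works the same on GNU and BSD userlands.
key_perms_ok() {
  [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Write the Host entries. ProxyJump is the config form of `ssh -J`; IdentitiesOnly stops
# ssh from offering every key in the agent; ForwardAgent no keeps keys off the bastion.
write_ssh_config() {  # out_file bastion_ip private_ip bastion_key private_key
  cat > "$1" <<EOF
Host bastion
    HostName $2
    User ec2-user
    IdentityFile $4
    IdentitiesOnly yes
    ForwardAgent no

Host private-ec2
    HostName $3
    User ec2-user
    IdentityFile $5
    IdentitiesOnly yes
    ForwardAgent no
    ProxyJump bastion
EOF
}

main() {
  for k in "$BASTION_KEY" "$PRIVATE_KEY"; do
    chmod 400 "$k"
    key_perms_ok "$k" || { echo "bad permissions on $k" >&2; exit 1; }
  done
  write_ssh_config "$CONFIG" "$BASTION_IP" "$PRIVATE_IP" "$BASTION_KEY" "$PRIVATE_KEY"
  chmod 600 "$CONFIG"
  # Optional, as in the post's ssh-add step, but with a one-hour lifetime on the agent entries.
  ssh-add -t 3600 "$BASTION_KEY" "$PRIVATE_KEY"
  # ssh resolves private-ec2 -> ProxyJump bastion -> TCP forward to $PRIVATE_IP:22,
  # and authenticates to the private host with the key read from this machine.
  ssh -F "$CONFIG" private-ec2 'hostname; id'
}

if [ "${1:-}" = "--connect" ]; then main; fi
```

After `sh bastion-ssh.sh --connect`, `ssh -F ~/.ssh/bastion_config private-ec2` is all that is needed for later sessions. The config keeps the two key pairs strictly separated (each Host gets exactly one IdentityFile) and never enables ForwardAgent, so compromise of the bastion yields no credential that opens the private instance.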

 
 

RDS private database connection

The steps to connect to the private database with the MySQL Workbench client from our local machine are:
 

  • Find the endpoint and port of the database in the RDS instance details.
 

  • Open the MySQL Workbench connection wizard and choose the connection method Standard TCP/IP over SSH. Enter the following fields:

a. SSH Hostname: the Bastion Host public IP address or DNS name, followed by :22.

b. SSH Username: the default user name of the AMI used to create the Bastion Host. For the Amazon Linux AMI it is ec2-user.

c. SSH Key File: the Bastion Host private key (.pem) used for SSH authentication.

d. MySQL Hostname: the database endpoint found in step 1.

e. Username: the database master username.

f. Password: the database master password.
 

  • Test the connection.
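The command-line equivalent of the Workbench "Standard TCP/IP over SSH" connection, as an added example that is not part of the original post: an SSH local port forward through the Bastion Host to the RDS endpoint, bound to loopback only, with a control socket so the tunnel can be torn down cleanly. The endpoint, bastion address, key path and the mysql client flags (--ssl-mode is the Oracle MySQL client spelling; MariaDB's client uses --ssl) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): SSH tunnel to a private RDS instance.
set -eu

RDS_ENDPOINT="${RDS_ENDPOINT:-private-mysql.abcdefghijkl.us-east-2.rds.amazonaws.com}" # assumption
RDS_PORT="${RDS_PORT:-3306}"
LOCAL_PORT="${LOCAL_PORT:-3307}"                         # local side; 3307 avoids a local mysqld
BASTION="${BASTION:-ec2-user@203.0.113.10}"              # assumption: bastion public IP
BASTION_KEY="${BASTION_KEY:-$HOME/.ssh/bastion-key.pem}" # assumption
CTL="${CTL:-$HOME/.ssh/rds-tunnel.ctl}"                  # ControlMaster socket for this tunnel

# Build the -L argument. The local side is pinned to 127.0.0.1 so that other hosts on
# the laptop's network cannot reach the database through the forwarded port, and the
# remote side must look like an RDS endpoint to catch copy-paste mistakes.
forward_spec() {  # local_port endpoint remote_port
  case "$2" in
    *.rds.amazonaws.com) ;;
    *) echo "not an RDS endpoint: $2" >&2; return 1 ;;
  esac
  printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

# -f -N: background, no remote command. ExitOnForwardFailure makes ssh fail loudly
# if the local port is already taken instead of leaving a session with no tunnel.
open_tunnel() {
  ssh -i "$BASTION_KEY" -o IdentitiesOnly=yes -o ExitOnForwardFailure=yes \
      -M -S "$CTL" -f -N \
      -L "$(forward_spec "$LOCAL_PORT" "$RDS_ENDPOINT" "$RDS_PORT")" "$BASTION"
}

close_tunnel() { ssh -S "$CTL" -O exit "$BASTION"; }

# The SSH tunnel only protects the laptop-to-bastion leg; --ssl-mode=REQUIRED keeps the
# bastion-to-RDS leg encrypted as well. -p prompts for the password rather than
# placing it on the command line where `ps` would show it.
query() {  # sql
  mysql --host 127.0.0.1 --port "$LOCAL_PORT" --protocol TCP --ssl-mode=REQUIRED \
        --user "${DB_USER:-admin}" -p -e "$1"
}

case "${1:-}" in
  up)   open_tunnel ;;
  down) close_tunnel ;;
  sql)  query "$2" ;;
esac
```

Usage: `sh rds-tunnel.sh up`, then `sh rds-tunnel.sh sql 'SELECT @@hostname, @@version'`, and `sh rds-tunnel.sh down` when finished. Workbench's wizard does exactly the first step for you behind the scenes; the difference here is that the local listener is explicitly loopback-only and the TLS requirement on the database leg is stated rather than left to the client default.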

 
 

Conclusion

In this post, we learned how to connect to private EC2 and RDS instances through a Bastion Host, using OpenSSH for the EC2 instance and MySQL Workbench for the RDS database.
 


Top comments

Petri Kallberg

Nice and detailed explanation of the bastion/jumphost setup. Have you thought about the option of using SSM Session Manager and not having to expose your jumphost to the internet (or any network) at all? This would allow you to run SSH sessions over SSM and connect directly from your laptop to VPC-internal addresses, like a poor man's VPN.

Jose Luis Sastoque Rey

Agreed, it is another alternative; I hope to write another post explaining how to use SSM to connect to a private EC2 instance. Your articles look great, thank you for sharing.
